From edd82be58d8acd2846c0cd4978b5ce32b6ce8388 Mon Sep 17 00:00:00 2001
From: Mahmoud Al-Qudsi
Date: Wed, 20 Nov 2024 14:53:39 -0600
Subject: [PATCH] Fix crash on invalid CSI parameters

If a semicolon-delimited list of CSI parameters contained an (invalid) long sequence of ascii numeric characters, the original code would keep multiplying by ten and adding the most recent ones field until the `params[count][subcount]` u32 value overflowed. This was found via automated fuzz testing of the `try_readch()` routine against a corpus of some proper/valid CSI escapes.
---
 src/input_common.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/input_common.rs b/src/input_common.rs
index e223c2323..20b4124ec 100644
--- a/src/input_common.rs
+++ b/src/input_common.rs
@@ -846,13 +846,17 @@ pub trait InputEventQueuer {
 let mut subcount = 0;
 while count < 16 && c >= 0x30 && c <= 0x3f {
 if c.is_ascii_digit() {
- params[count][subcount] = params[count][subcount] * 10 + u32::from(c - b'0');
+ // Return None on invalid ascii numeric CSI parameter exceeding u32 bounds
+ params[count][subcount] = params[count][subcount]
+ .checked_mul(10)
+ .and_then(|result| result.checked_add(u32::from(c - b'0')))?;
 } else if c == b':' && subcount < 3 {
 subcount += 1;
 } else if c == b';' {
 count += 1;
 subcount = 0;
 } else {
+ // Unexpected character or unrecognized CSI
 return None;
 }
 c = next_char(self);
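Review bot: The `?` added to the `checked_mul`/`checked_add` chain exits the parser in the middle of the parameter run, so the remaining digits and the final byte of the over-long sequence are not consumed at this point. The enclosing function starts and ends outside this hunk, so whether the caller discards them is not visible; if it does not, they would presumably be handled as ordinary input. That matches the existing `return None` branch, but the comment should say so, e.g. `// Overflow: abort parsing; the rest of the sequence is left unread`. Alternatively, clamp with `.saturating_mul(10).saturating_add(u32::from(c - b'0'))` if downstream users of `params` tolerate a clamped value. The diffstat shows only `src/input_common.rs` changed, so no regression test accompanies the fix; a test feeding `try_readch()` a constructed parameter too large for `u32` and asserting that parsing does not panic would pin the behaviour.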